Add password check methods by PAM.

2018-09-08 15:04:54 +08:00 · 2018-09-08 15:04:54 +08:00 · 7c7e4ed1c2
parent 9e82c08cd5
commit 7c7e4ed1c2
2 changed files with 46 additions and 9 deletions
--- a/bin/hardening/9.2.1_enable_cracklib.sh
+++ b/bin/hardening/9.2.1_enable_cracklib.sh
@ -14,9 +14,33 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2

 PACKAGE='libpam-cracklib'
+PAMLIBNAME='libpam-cracklib.so'
 PATTERN='^password.*pam_cracklib.so'
 FILE='/etc/pam.d/common-password'

+OPTION_RETRY='retry'
+OPTION_MINLEN='minlen'
+OPTION_DCREDIT='dcredit'
+OPTION_UCREDIT='ucredit'
+OPTION_OCREDIT='ocredit'
+OPTION_LCREDIT='lcredit'
+OPTION_DIFOK='difok'
+OPTION_MINCLASS='minclass'
+OPTION_MAXREPEAT='maxrepeat'
+OPTION_MAXCLASSREPEAT='maxclassrepeat'
+
+# condition 
+RETRY_CONDT=3
+MINLEN_CONDT=14
+DCREDIT_CONDT=-1
+UCREDIT_CONDT=-1
+OCUEDIT_CONDT=-1
+LCREDIT_CONDT=-1
+DIFOK_CONDT=8
+MINCLASS_CONDT=4
+MAXREPEAT=3
+MAXCLASSREPEAT_CONDT=4
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
    is_pkg_installed $PACKAGE
@ -27,6 +51,20 @@ audit () {
        does_pattern_exist_in_file $FILE $PATTERN
        if [ $FNRET = 0 ]; then
            ok "$PATTERN is present in $FILE"
+            check_password_by_pam $OPTION_DCREDIT gt $DCREDIT_CONDT  
+            if [ $FNRET = 0 ]; then
+                ok "$OPTION_DCREDIT set condition is $DCREDIT_CONDT"
+            else
+                cirt "$OPTION_DCREDIT set condition is $DCREDIT_CONDT"
+                FNRET=1
+            fi
+            #ok "$PATTERN is present in $FILE"
+            #check_password_by_pam $OPTION_RETRY gt $RETRY_CONDT  
+            #if [ $FNRET = 0 ]; then
+            #    ok "$OPTION_RETRY set condition is $RETRY_CONDT"
+            #else
+            #    crit "$OPTION_RETRY set condition is $RETRY_CONDT"
+                FNRET=1
        else
            crit "$PATTERN is not present in $FILE"
        fi
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -441,18 +441,17 @@ verify_integrity_all_packages()
    fi
 }

-check_password_pam()
+check_password_by_pam()
 {
-    LOCATION=$1
-    KEYWORD=$2
-    OPTION=$3
-    COMPARE=$4
-    CONDITION=$5
+    OPTION=$1
+    COMPARE=$2
+    CONDITION=$3
+
+    LOCATION="/etc/pam.d/common-password"  
+    #For debian is common-password ,for Gentoo and Red hat the file is system-auth
+    KEYWORD="pam_cracklib.so"

    #Example:
-    #LOCATION="/etc/pam.d/common-password"  
-    #For debian is common-password ,for Gentoo and Red hat the file is system-auth
-    #KEYWORD="pam_cracklib.so"
    #OPTION="ocredit"
    #COMPARE="gt"
    #CONDITION="-1"